In Passing: Bea Arthur

SunTrust Banks Notifies Customers About Heartland Compromise

SunTrust, a Southern banking corporation with $179 billion in assets, mailed its Florida customers letters this week regarding SunTrust bank cards that were compromised in the Heartland Payment Systems breach, which was first made public on January 20. The bank has 551 branches in the state and a total of 1,694 branches in 12 southern states. The letter informed customers that their personal information may have been compromised.

In the letter, SunTrust says it is issuing new cards with new numbers. Atlanta, GA-based SunTrust spokesperson Hugh Suhr says the bank won't reveal how many of its customers were affected, but he says these letters were only some of the notification letters sent to customers. Suhr explains that it took several months to mail out the letters; the bank began mailing customers once Visa notified it, after the January 20 public notification. Suhr adds that SunTrust first notified customers who were immediately affected by fraudulent activity on their cards. No other details were available from the bank.

Friday, April 24, 2009

Gates to Nominate NSA Chief to Head New Cyber Command

Defense Secretary Robert Gates plans to nominate the director of the National Security Agency to head a new Pentagon Cyber Command, which will coordinate computer-network defense and direct U.S. cyber-attack operations, according to a draft memo by Mr. Gates.

The move comes amid rising concern in the government about attacks on U.S. networks. The command will run military cybersecurity operations and provide support to civil authorities, according to the memo reviewed by The Wall Street Journal.

NSA Director Keith Alexander, a three-star general, is expected to earn a fourth star when he moves to his new job at the Cyber Command. The memo doesn't state that directly, but says that his deputy at the new command will be of a three-star rank. It isn't clear who will succeed him at the NSA.

Russian Military Intelligence Chief Sacked

Russian President Dmitry Medvedev has dismissed Gen Valentin Korabelnikov, the chief of the country's powerful GRU military intelligence service, and signed a decree replacing him with Gen Alexander Shlyakhturov, the Kremlin announced in a statement on Friday.

The Kremlin said in the statement that Medvedev signed a decree "to remove Army General Valentin Vladimirovich Korabelnikov from the position of chief of the Main Intelligence Directorate (GRU) ... and to dismiss him from military service."

Though the Kremlin did not provide the reason for the move, Russian media reports suggested that the sacking of Korabelnikov was over differences on the Kremlin-proposed reforms of the agency.

Korabelnikov, who had led the GRU since 1997, had reportedly tendered his resignation in protest at the proposed reforms of the military intelligence service, which included reorganization of the military intelligence service, cuts in military spending, changes in intelligence strategy and disbanding of several GRU-controlled special army units.

Conficker Still Kicking as a Real Threat

A malicious software program known as Conficker that many feared would wreak havoc on April 1 is slowly being activated, weeks after being dismissed as a false alarm, security experts said.

Conficker, also known as Downadup or Kido, is quietly turning thousands of personal computers into servers of e-mail spam and installing spyware, they said.

The worm started spreading late last year, infecting millions of computers and turning them into "slaves" that respond to commands sent from a remote server that effectively controls an army of computers known as a botnet.

"This is probably one of the most sophisticated botnets on the planet. The guys behind this are very professional. They absolutely know what they are doing," said Paul Ferguson, a senior researcher with Trend Micro, the world's third-largest security software maker.

DNS Plays Role in Craigslist Killer Case

Network technology may have played a critical role in law enforcement officials catching the alleged Craigslist killer before he was able to strike again.

According to DNSstuff, the vendor's DNS tools were used as part of the ongoing investigation to track and then capture alleged Craigslist killer Philip Markoff. Boston and Massachusetts law enforcement officials would not comment on the ongoing investigation, but DNSstuff CEO Rich Person says his company's tools helped track Markoff through e-mail and network technology via Craigslist.

"We have it on good authority that law enforcement officials used our tools for checking e-mail and network connectivity and tracking IP addresses, but they are unable to comment due to the ongoing nature of the case," Person says. "Interpol, the [Federal Bureau of Investigation] and the National Center for Exploited & Missing Children have also used our tools in the past for criminal investigations, specifically one in New Hampshire involving a threat against Hillary Clinton."

Markoff, 23, a Boston University medical student, was charged with robbing one woman he found via erotic services advertised through Craigslist and murdering another, Julissa Brisman, 26, of New York. Markoff was charged April 22 with the April 14 fatal shooting of Brisman and is being held without bail as more details emerge surrounding the case. He was also charged with the armed robbery and kidnapping of a prostitute who was tied up April 10 at Boston's Westin Copley.
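The "checking e-mail ... and tracking IP addresses" part of an investigation like this usually starts with the Received: headers that every mail server prepends as a message passes through it. The script below is an added example, not DNSstuff's tooling or anything from the case file: it parses a constructed message (all addresses are documentation ranges, the hostnames are made up) and walks the hop chain from the newest header inward, stopping at the first hop that was handed over by a server outside a trusted set. That boundary matters because everything below the last trustworthy server can be forged by the sender, so a trace that simply takes the bottom-most header can be pointed at an innocent address.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample message (not from the Markoff investigation). Each MTA
# prepends its own Received: header, so the newest hop is on top and the
# hop nearest the sender is at the bottom.
SAMPLE_EMAIL = """\
Received: from mx1.example.net (mx1.example.net [192.0.2.10])
    by inbox.example.com with ESMTP id abc123
    for <victim@example.com>; Tue, 14 Apr 2009 21:03:11 -0400
Received: from webmail.example.org (webmail.example.org [198.51.100.7])
    by mx1.example.net with ESMTP id def456;
    Tue, 14 Apr 2009 21:03:09 -0400
Received: from [203.0.113.45] (unknown [203.0.113.45])
    by webmail.example.org with HTTP;
    Tue, 14 Apr 2009 21:03:05 -0400
From: someone@example.org
To: victim@example.com
Subject: re: your ad

hello
"""

# The same message with a forged hop that the sender added below the real
# ones, pointing the trail at an innocent address (also constructed).
FORGED_EMAIL = SAMPLE_EMAIL.replace(
    "From: someone@example.org",
    "Received: from innocent.example (innocent.example [192.0.2.99])\n"
    "    by nowhere.example with SMTP; Tue, 14 Apr 2009 20:59:00 -0400\n"
    "From: someone@example.org",
    1,
)

_FROM_BY = re.compile(r"from\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+)", re.I)
_BRACKET_IP = re.compile(r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(raw):
    """Return (from_host, ip, by_host) for every Received: header, newest first.

    ip is the bracketed literal the receiving server recorded, or None.
    """
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        m = _FROM_BY.search(flat)
        if not m:
            continue
        ip = None
        ipm = _BRACKET_IP.search(flat)
        if ipm:
            try:
                ip = str(ipaddress.ip_address(ipm.group("ip")))
            except ValueError:
                pass  # malformed literal: keep the hop, but without an IP
        hops.append((m.group("from"), ip, m.group("by").rstrip(";").lower()))
    return hops


def naive_origin_ip(raw):
    """What a careless trace does: take the bottom-most hop. Trivially forged."""
    hops = received_hops(raw)
    return hops[-1][1] if hops else None


def origin_ip(raw, trusted_hosts):
    """Walk inward from the newest hop while the receiving server is one we
    trust (our own MTAs, or a provider that has vouched for its headers).
    The first hop handed over by an untrusted sender is as far as the
    evidence supports; anything below it could have been written by the sender.
    """
    trusted = {h.lower() for h in trusted_hosts}
    for from_host, ip, by_host in received_hops(raw):
        if by_host not in trusted:
            return None  # chain left the trust boundary without an answer
        if from_host.lower() not in trusted:
            return ip or from_host
    return None
```

With only the recipient's own server trusted, the trace stops at the relay's address (192.0.2.10); only when the webmail provider's headers are also trusted, which in practice means the provider cooperating with the investigation, does it reach the client address behind the account. The forged bottom hop fools `naive_origin_ip` but never enters the trust walk.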

RSA 2009: Conficker Infected Critical Hospital Equipment

The Conficker worm infected several hundred machines and critical medical equipment in an undisclosed number of hospitals recently, a security expert said on Thursday in a panel at the RSA security conference.

"It was not widespread, but it raises the awareness of what we would do if there were millions" of computers infected at hospitals or in critical infrastructure locations, Marcus Sachs told CNET News after the session. Sachs is the director of the SANS Internet Storm Center and a former White House cybersecurity official.

It is unclear how the devices, which control things like heart monitors and MRI machines, and the PCs got infected, he said. The computers are older machines running Windows NT and Windows 2000 on a local area network that was not supposed to have access to the Internet; however, that network was connected to one that has direct Internet access, and so they were infected, he said.

RSA 2009: Conficker Hype a 'Problem,' Says FBI Cyber-Chief

Mainstream media hype leading up to the Conficker worm's April 1 software update may have distracted people from legitimate cyber threats, the U.S. Federal Bureau of Investigation's head of cyber security said Thursday.

"For the general public to focus on Conficker -- that's the threat they're worried about -- I think that is actually a bit of a problem for us as a society," said Shawn Henry, assistant director of the FBI’s Cyber Division, speaking at the RSA security conference in San Francisco Thursday. "There are dozens of Conficker-like threats and vulnerabilities out there.... while the media stories helped to raise awareness, I think that focusing people on that particular aspect, perhaps took away their attention from the overall threat, which is just as great or greater than Conficker itself."

Conficker spread, in part, by exploiting a previously patched bug in Microsoft Windows. So if all the Conficker hype helped people patch their computers and get up-to-date antivirus software, then it did some good, according to Paul Ferguson, a researcher with Trend Micro. However, he added via instant message, "it's completely ludicrous to focus just on Conficker -- it is just a symptom of a much larger problem."

RSA 2009: The Elusive Structure of the Cyber-Criminal Economy

As it turns out, stealing credentials is actually the easy part of cyber-theft. The hard part is using them to get away with pilfering bank accounts.

Fortunately for phishers, they have no shortage of help in that regard. This ecosystem of hackers, malware writers and money mules was on full display at this week’s RSA Conference, where researchers described an increasingly compartmentalized hacker underground where thieves can buy subscriptions to online fraud services.

“As soon as you pay for the subscription your Trojan will start being distributed, you will have access to all these machines, you will have access to all of these machines, you will have access to all of the credentials – bank credentials and credit cards – that are being collected by the Trojan you are distributing. But you don’t have to do anything,” explained Uri Rivner, head of new technologies for RSA Consumer Solutions in EMC’s RSA security division.

Subscriptions can cost $300 a month, he said. Renting out networks of compromised computers can cost as little as $23 for 1,000 bots, Rivner said. However that price won’t buy an attacker a monopoly.

Conficker's Estimated Economic Cost? $9.1 Billion

In a recent blog post, the Cyber Secure Institute claims that based on their previous studies into the average cost of such malware attacks, the economic loss due to the Conficker worm could be as high as $9.1 billion.

Even when their analysis assumed a much more limited infection rate (200,000 infected hosts), they found the cost of the worm would still be around $200 million. The research leaves out an important fact, though: not only is Conficker still active and infecting, but according to the most recent estimate from the Conficker Working Group, the number of infected hosts is 3.5 million.

The true number of Conficker-infected hosts is in fact higher than the figure provided by the Conficker Working Group, because that figure counts distinct IP addresses, and behind a single address there may be many other infected hosts NAT-ed on the local network. That adds yet another variable with the potential to undermine such estimates.
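To make the NAT caveat concrete, here is an added example (not Conficker Working Group code or data) that runs two estimators over a constructed sinkhole log. The first counts distinct source addresses, which is the kind of number the paragraph above is discussing. The second treats a per-IP check-in rate far above what one bot could produce as evidence of several hosts sharing that address. The per-bot rate `MAX_HITS_PER_BOT_PER_HOUR` is an assumed parameter, not a value from the page; set it too low and the estimator overcounts, and hosts behind a NAT that rarely check in stay invisible to it, so it is a better lower bound, not a true count.

```python
import math
from collections import defaultdict

# Constructed sinkhole log (not Conficker Working Group data): one line per
# check-in, "timestamp src_ip". 203.0.113.9 is a NAT gateway with several
# infected PCs behind it; the other two addresses are single hosts.
SINKHOLE_LOG = """\
2009-04-24T10:00:01Z 198.51.100.4
2009-04-24T10:00:03Z 203.0.113.9
2009-04-24T10:00:04Z 203.0.113.9
2009-04-24T10:00:07Z 203.0.113.9
2009-04-24T10:01:12Z 192.0.2.77
2009-04-24T10:02:30Z 203.0.113.9
2009-04-24T10:03:00Z 203.0.113.9
2009-04-24T10:04:45Z 203.0.113.9
2009-04-24T10:05:10Z 198.51.100.4
2009-04-24T10:06:00Z 203.0.113.9
2009-04-24T10:06:20Z 203.0.113.9
2009-04-24T11:00:02Z 198.51.100.4
2009-04-24T11:00:09Z 203.0.113.9
2009-04-24T11:00:10Z 203.0.113.9
2009-04-24T11:00:11Z 203.0.113.9
2009-04-24T11:00:12Z 203.0.113.9
2009-04-24T11:01:00Z 192.0.2.77
"""

# Assumed, not from the page: the most check-ins a single bot produces in an
# hour against the sinkholed domains. Calibrate against a known single host.
MAX_HITS_PER_BOT_PER_HOUR = 3


def parse_log(text):
    """Return (hour_bucket, ip) for each check-in line."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip = line.split()
        records.append((ts[:13], ip))  # "YYYY-MM-DDTHH" is the hour bucket
    return records


def unique_ips(records):
    """One infection per distinct source address: undercounts hosts behind NAT."""
    return len({ip for _, ip in records})


def estimate_hosts(records, max_hits=MAX_HITS_PER_BOT_PER_HOUR):
    """Per-IP lower bound: hits in that address's busiest hour divided by what
    a single bot could produce in an hour, rounded up (never below 1)."""
    per_hour = defaultdict(int)
    for bucket, ip in records:
        per_hour[(ip, bucket)] += 1
    busiest = defaultdict(int)
    for (ip, _), n in per_hour.items():
        busiest[ip] = max(busiest[ip], n)
    return {ip: max(1, math.ceil(n / max_hits)) for ip, n in busiest.items()}


def estimated_total(records, max_hits=MAX_HITS_PER_BOT_PER_HOUR):
    """Sum of the per-IP lower bounds."""
    return sum(estimate_hosts(records, max_hits).values())
```

On this log the address count is 3, while the busiest-hour estimator attributes three hosts to 203.0.113.9 (eight check-ins in one hour against an assumed ceiling of three per bot) for a total of 5. Bucketing by hour rather than using the whole-period total keeps a single long-lived bot from looking like several.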

The debate continues over whether the government has enough cybersecurity authority over the privately owned industrial control systems that run critical infrastructure such as electricity, water and nuclear power systems.

Some observers say the best approach is for the government to partner with the industry and nonfederal authorities that run the systems — as the Homeland Security Department now does. However, some critics say that approach isn't sufficient and new legislation is needed to make sure the systems that increasingly rely on information technology are safe from cyberattacks.

The situation is complicated by the variety of industrial control systems, the ways they differ from standard IT systems, the many ways the systems are used by different sectors, and their increasing interconnectedness.

IRS Awards Tax Payment Contract to RBS Worldpay

The Internal Revenue Service has awarded a contract to process tax return payments for the coming filing season to RBS Worldpay, a company that recently disclosed that a hacker break-in jeopardized financial data on 1.5 million payroll card holders and at least 1.1 million Social Security numbers.

The contract award comes a month after credit card giant Visa said RBS was no longer in compliance with the Payment Card Industry (PCI) security standards, a set of guidelines designed to protect cardholder data.

RBS spokesman Josh Passman said the company expects to be re-certified as PCI compliant "within the next few weeks."

The contract awarded to RBS is what's known as a "zero dollar" contract, meaning the government doesn't award a specific dollar amount. Rather, the approved vendor takes a convenience fee for each transaction it processes. According to a copy of the contract listed at fedbizopps.gov, RBS's base convenience fee will be 1.95 percent of the amount the taxpayer owes the federal government.

The Cold War Moves To Cyber Space

Somewhere deep in Washington's national security apparatus, more than a few old-timers surely pine for the clarity of the Cold War. Black versus white, American versus Russian, spy versus spy - the good old days.

Now, however, they face more ephemeral threats from shadowy foes that prefer to cloak their identities.

"There's a cyber war going on," said Ed Giorgio, who spent nearly 30 years with the National Security Agency before starting an IT security consultancy in 2007. The problem, he says, is that identifying an online adversary isn't as easy as pinpointing an enemy tank formation.

"Adversaries are just as likely to be nationalists as they are likely to be countries," said Giorgio, echoing a theme that cyber security experts say is likely to shape the Pentagon's approach to building Internet defenses in an increasingly networked world.

Wednesday, April 22, 2009

Quote of The Day: Cord Blomquist

"Congressmen Towns and Issa don’t seem to realize that LimeWire is just one of hundreds of applications that allow end-users to share files with each other. To say that we should investigate these software applications for working as they were designed just plain misses the point."

"If the DoJ or the FTC chase this red herring far enough, they’ll likely place restrictions on file sharing programs—like mandating default settings about what files are shared—but this will do nothing to solve the very serious problems in the Pentagon and other agencies and will simply amount to another useless mandate."

- Cord Blomquist, writing on The Technology Liberation Front, regarding a report that the House Committee on Oversight and Government Reform is reopening its investigation of services like LimeWire that allow consumers to distribute files online.

RSA 2009: Criminal Infrastructure Lets Malware Thrive

The lurking Trojan and the password-hungry keylogger are only the tip of the iceberg.

As in today's globalized legitimate economy, malware's ability to spread and make money for its dastardly creators rests on a wide array of underhanded support services. At the RSA conference in San Francisco today, researchers who have dug deep into the criminal online infrastructure described some of those services.

Lawrence Baldwin of myNetWatchman.com described an "Xsox" botnet of malware-infected PCs that provides an anonymization network for criminals who want to hide their tracks - or make it look as if a bank login is coming from Alabama, say, instead of somewhere like the Ukraine.

The simple GUI interface that Baldwin displayed allows a bad guy to see all the currently available Xsox-infected computers, with their IP address, country, uptime and other information readily displayed. Simply clicking on one establishes an encrypted connection and use of that PC as an "exit node," Baldwin said, so that any connection to a bank site or anywhere else appears to come from that exit node instead of the crook's computer.

This service-providing botnet has been around for about 3 years, Baldwin said. He estimates it's used to withdraw between $2 million and $5 million from banks per day, and says that the ISP that hosts the botnet has never received a complaint in 3 years.

RSA 2009: U.S. Already at War in Cyber Space

Cyber warfare is a reality, and the United States already has been engaged by a number of adversaries, a panel of experts said today at the RSA Security Conference.

“There is no question we are in the midst of a cyberwar,” added Dmitri Alperovitch, vice president of threat research at McAfee.

Because the war involves infiltration, espionage and sabotage rather than conventional weapons, it looks much like the Cold War waged by the United States and the Soviet Union in the post-World War II 20th century. But there are important differences, the panelists said. The Cold War was bipolar, with just two sides; there are many players in the cyberwar, and they each can have different goals.

“We knew what the rules of engagement were during the Cold War,” said Ed Giorgio, president of Ponte Technologies, who worked at the National Security Agency for 30 years. But no one knows what rules we are playing by now. “If we play the game by a different set of rules than our adversaries, we are going to lose. The rules of engagement are important.”

One of the greatest differences between the Cold War and the current cyber war is that we knew our Cold War adversaries. Today, we do not necessarily know the source of the cyberattacks that are hitting and sometimes penetrating our information systems.

RSA 2009: Why the Top U.S. Cyber Official is Losing Sleep

The United States' top cybersecurity official already knew the world's digital infrastructure needed help before she took on a 60-day cyberspace policy review. With the review now complete, she admits the gravity of the situation seeps into her dreams and disturbs her sleep.

"I worry about [questions surrounding cyber security] every night; they infiltrate my dreams," Melissa Hathaway, acting senior director for cyberspace for the National Security and Homeland Security Councils, said in a keynote speech at the RSA Conference Wednesday. "I often wake up at 2:30 or 4:30 in the morning having worked the problem in my sleep, and sometimes even develop a good idea."

President Obama tapped Hathaway, a Bush administration official who helped develop a multi-billion-dollar classified initiative to better secure federal systems and critical-infrastructure networks against online threats, to lead a 60-day review of the government's cybersecurity efforts in February.

She acknowledged what everyone attending RSA already knew: The nation's digital infrastructure -- the world's, for that matter -- is full of security holes that leave us vulnerable to those who would steal personal data for financial gain or to compromise national security.

To Catch a (Cyber) Thief: It's Not Easy

The FBI agent whose undercover sting operation led to the dismantling of an international cybercrime ring believes that increasing transnational police cooperation is turning the tide against digital criminals.

J. Keith Mularski, a special agent who works in the Federal Bureau of Investigation's Cyber Division, says that when it comes to fighting cybercrime, the bad guys may still hold a technological upper hand but that the good guys are getting better.

"We're not far behind," says Mularski, who spent a couple of years infiltrating a crime network that offered a range of stolen data--including credit card numbers, bank numbers and personal log-in information--to buyers online. The Web site, DarkMarket.ws, got shut down last October after a German radio network broke the news about the sting operation.

"I wouldn't say that we're winning the battle," said Mularski. Still, he insisted that law enforcement agencies are catching up. "I expect to see great strides" in the near term, he said.

One Bot-Infected PC = 600,000 Spam Messages a Day

Some bot-infected PCs can crank out as many as 25,000 spam messages per hour, new research released today claimed.

Orange, Calif.-based Marshal8e6 deliberately infected machines in the lab of its research arm, TRACElabs, with the malware responsible for the world's nine biggest spam botnets, then observed the PCs' behavior, including each bot's top-end spam capacity.

"One of our objectives over the past few years has been to emphasize the dominant role that a handful of key botnets play in the spam we see today," said Phil Hay, a senior threat analyst at TRACElabs, in an e-mail today.

TRACElabs concluded that Rustock and Xarvester, the latter perhaps linked to the down-and-out Srizbi botnet, are the most efficient spam spewers of the nine bots. Each is capable of sending up to 25,000 messages per hour, or 600,000 per day, and 4.2 million per week.

Love Your Mother: Earth Day 2009

A Pentagon Cyber-Command Is in the Works

The Obama administration is finalizing plans for a new Pentagon command to coordinate the security of military computer networks and to develop new offensive cyber-weapons, sources said last night.

Planning for the reorganization of Defense Department and intelligence agencies is underway, and a decision is imminent, according to a person familiar with the White House plans.

The new command would affect U.S. Strategic Command, whose mission includes ensuring U.S. "freedom of action" in space and cyberspace, and the National Security Agency, which shares Pentagon cybersecurity responsibilities with the Defense Information Systems Agency.

The Pentagon plans do not involve the Department of Homeland Security, which has responsibility for securing the government's non-military computer domain.

Tuesday, April 21, 2009

RSA 2009: Another Year of Handwringing on Cyber Security

Deborah Gage writes on the San Francisco Chronicle "The Tech Chronicles" Blog:

Every year, the security industry gets together at the RSA Conference in San Francisco to learn new techniques for fighting the bad guys, who always seem to be a step ahead.

This year is no different. Security vendors say they are not doing enough and government officials say they are not doing enough because attacks are getting worse -- in 30 minutes, Symantec blocks 200,000 attacks.

One problem is that computer systems are still too complicated, which makes them easier to attack and harder to protect.

"Separate groups (in a company) do testing, manage the data center and do security audits and a lot of what they do is manual," said Enrique Salem, Symantec's CEO. "If a security team needs information, they call a different department to get the logs, and it takes a couple of days for the logs to arrive. A week later, they change their audit procedures."

If you listen to the director of the NSA, the government isn't doing much better. "We don't have a way today of sharing and seeing networks in a timely manner," said Lt. General Keith Alexander. "How do we close that gap with the antivirus vendors [whose detection of threats tends to lag because cybercriminals create new threats so quickly]. And how do we provide early warning?"

FBI, DoD Officials Recognized for Cyber Security Contributions

Two government officials were recognized this morning at the RSA Security conference for their contributions to cybersecurity.

Robert Lentz, deputy secretary for cybersecurity at the Defense Department, received the award for excellence in the field of security practices for his work during eight years at DOD in implementing the Common Access Card program and improving acquisitions, among other work.

FBI Supervisory Special Agent J. Keith Mularski, who helped to lead a two-year investigation of the Dark Market cybercriminal forum that resulted in 56 arrests last year, received the award for excellence in the field of public policy.

Fusion Center Dialogue Continues

Members of the private task force that has helped guide post-9/11 information sharing efforts addressed lawmakers Tuesday, agreeing with civil libertarians that more must be done to protect privacy amid the effort to detect terrorist plots.

Zoë Baird, president of the nonprofit Markle Foundation and co-chair of its Task Force on National Security in the Information Age, told members of the Senate Judiciary Committee's Subcommittee on Terrorism and Homeland Security that the country’s new information sharing environment (ISE) cannot succeed without the public’s trust, which can only be gained through proper privacy protections.

Baird recommended establishment of a government-wide privacy policy to eliminate doubts and contradictions about what is and is not acceptable in the effort to discern which activities, taken together, might constitute a terrorist plot.

The hearing came on the heels of several revelations bolstering civil libertarians’ arguments that the ISE and its national network of intelligence fusion centers are fertile ground for abuse of civil liberties, such as unconstitutional police investigations of peaceful political and religious groups.

NSA Chief: 'We Do Not Want to Run Cyber Security'

NSA Director Lt. Gen. Keith Alexander, speaking at the RSA Security Conference in San Francisco, told the audience of security professionals on Tuesday that the NSA does "not want to run cyber security for the United States government."

Aiming to dispel news reports -- and counter previous intelligence agency statements -- that the National Security Agency is angling to grab the top spot in the government's cyber security initiative, Alexander said it's a job that's bigger than one agency and that the NSA isn't looking to control but rather to partner with DHS, other defense departments, industry and law enforcement.

Alexander's statement seemed to belie statements made two months ago by Director of National Intelligence Admiral Dennis Blair, who told the House intelligence committee that the NSA, rather than the Department of Homeland Security which currently oversees cybersecurity, should take over securing cyberspace.

Hitting Botnets Where It Hurts at RSA Conference

Joe Stewart, director of malware research at SecureWorks, is pushing for security researchers to adopt a concerted, three-pronged effort to take down the Web’s most troublesome botnets.

Call it offense in-depth.

“If you look at how the criminal considers whether to continue their enterprise or not, they are probably affected by three things: risk, effort, reward,” he said in an interview with eWEEK at the RSA Conference in San Francisco. “We should be fighting these guys on all three of these fronts.”

Targeting any one of those elements isn’t going to significantly change the threat landscape, but a coordinated, focused attack on all three fronts could make a difference, he said. Doing that, however, requires a stealthy approach by focus groups dedicated to targeting specific botnets or cyber-criminals on a continuous basis.

Computer Spies Breach Fighter-Jet Project

Siobhan Gorman, August Cole, and Yochi Dreazen write on The Wall Street Journal:

Computer spies have broken into the Pentagon's $300 billion Joint Strike Fighter project -- the Defense Department's costliest weapons program ever -- according to current and former government officials familiar with the attacks.

Similar incidents have also breached the Air Force's air-traffic-control system in recent months, these people say. In the case of the fighter-jet program, the intruders were able to copy and siphon off several terabytes of data related to design and electronics systems, officials say, potentially making it easier to defend against the craft.

The latest intrusions provide new evidence that a battle is heating up between the U.S. and potential adversaries over the data networks that tie the world together. The revelations follow a recent Wall Street Journal report that computers used to control the U.S. electrical-distribution system, as well as other infrastructure, have also been infiltrated by spies abroad.

Attacks like these -- or U.S. awareness of them -- appear to have escalated in the past six months, said one former official briefed on the matter. "There's never been anything like it," this person said, adding that other military and civilian agencies as well as private companies are affected. "It's everything that keeps this country going."

Monday, April 20, 2009

Notorious Adware Vendor Zango Shuts Its Doors

Zango Inc., the adware distributor fined $3 million by the Federal Trade Commission in 2006 for sneaking software onto people's PCs, has closed its doors after being acquired by video search engine company Blinkx PLC.

Zango's former chief technology officer blamed the company's demise on several factors, but at the top of the list were the very practices that got it in hot water with the FTC -- and with security analysts who had labeled the company's software spyware.

"So why did Zango ultimately fail? 1: Zango screwed up its distribution," Ken Smith, a co-founder who stepped down from his CTO spot last summer, said in a long entry on his personal blog yesterday.

Sunday, April 19, 2009

U.S. Toll in Iraq, Afghanistan

As of Sunday, April 19, 2009, at least 4,274 members of the U.S. military had died in the Iraq war since it began in March 2003, according to an Associated Press count.

The figure includes eight military civilians killed in action. At least 3,433 military personnel died as a result of hostile action, according to the military's numbers.

The AP count is three fewer than the Defense Department's tally, last updated Friday at 10 a.m. EDT.

As of Sunday, April 19, 2009, at least 606 members of the U.S. military had died in Afghanistan, Pakistan and Uzbekistan as a result of the U.S. invasion of Afghanistan in late 2001, according to the Defense Department. The department last updated its figures Friday at 10 a.m. EDT.

UK: Soaring Online Crime Hits Consumer Confidence

Nearly three-quarters of UK consumers believe that the recession has put them at greater risk of identity theft and related crimes, according to the latest biannual Security Index report from Unisys.

The software and services firm surveyed nearly 1,000 UK citizens, and found that 88 per cent are worried about criminals obtaining and using their credit card or bank details, or gaining unauthorised access to or misusing their personal information.

The Security Index, which measures the level of security concern among respondents, rose 20 per cent from a figure of 135 a year ago to 150 this year.

Neil Fisher, vice president of global security solutions at Unisys, argued that confidence in financial institutions has been undermined by the economic crisis, and that criminals are increasingly turning online to make money.